Configure Port Mirroring

[Contents] [Prev] [Next] [Index] [Report an Error]

Configure Port Mirroring
On routers containing a Internet Processor II ASIC or T-series Internet Processor, you can send a copy of an IPv4 packet from the router to an external host address or a packet analyzer for analysis. This is known as port mirroring.

Port mirroring is different from traffic sampling. In traffic sampling, a sampling key based on the IPv4 header is sent to the Routing Engine. There, the key can be placed in a file, or cflowd packets based on the key can be sent to a cflowd server. In port mirroring, the entire packet is copied and sent out through a next-hop interface.

You can configure simultaneous use of sampling and port mirroring, and set an independent sampling rate and run-length for port-mirrored packets. However, if a packet is selected for both sampling and port mirroring, only one action can be performed and port mirroring takes precedence. For example, if you configure an interface to sample every packet input to the interface and a filter also selects the packet to be port mirrored to another interface, only the port mirroring would take effect. All other packets not matching the explicit filter port-mirroring criteria continue to be sampled when forwarded to their final destination.

To prepare traffic for port mirroring, include the filter statement at the [edit firewall family inet] hierarchy level:
[edit firewall family inet]
filter filter-name;
This filter selects traffic to send into the VRF instance.

To configure port mirroring on a logical interface, configure the following statements at the [edit forwarding-options port-mirroring] hierarchy level:
[edit forwarding-options port-mirroring]
input {
    family inet {
        rate rate;
        run-length number;
    }
}
output {
    interface interface-name {
        next-hop address;
    }
    no-filter-check;
}
traceoptions {
    file filename {
        files number;
        size bytes;
        (world-readable | no-world-readable);
    }
}
Specify the port-mirroring destination by including the next-hop statement at the [edit forwarding-options port-mirroring output] hierarchy level:
[edit forwarding-options port-mirroring output]
interface interface-name {
    next-hop address;
}
The no-filter-check statement is required when you send port-mirrored traffic to a Tunnel PIC that has a filter applied to it.

The interface is the output interface used to send the packets to the analyzer. You can use any physical interface type, including generic routing encapsulation (GRE) tunnel interfaces. The next-hop address specifies the destination address; this statement is mandatory for non-point-to-point interfaces, such as Ethernet interfaces.

If your router is equipped with a Tunnel PIC, you can forward duplicate packets to multiple interfaces by configuring a next-hop group. To configure a next-hop group, include the next-hop-group statement at the [edit forwarding-options] hierarchy level:
[edit forwarding-options]
next-hop-group [ group-names ] {
    interface interface-name {
        next-hop [ addresses ];
    }
}
The interface statement specifies the interface that sends out sampled information. The next-hop statement specifies the next-hop addresses to which to send the sampled information.

Next-hop groups have the following restrictions:

Next-hop groups are supported for IPv4 addresses only.

Next-hop groups are supported on M-series routers only, except the M320.

Next-hop groups support up to 16 next-hop addresses.

Up to 30 next-hop groups are supported.

Each next-hop group must have at least two next-hop addresses.

To configure the sampling rate or duration, include the rate or run-length statements at the [edit forwarding-options port-mirroring input family inet] hierarchy level.

In typical applications, you send the sampled packets to an analyzer or a workstation for analysis, rather than another router. If you must send this traffic over a network, you should use tunnels. For more information about tunnel interfaces, see Configure Tunnel Interfaces.

You can trace port-mirroring operations in the same way as you trace sampling operations. For more information, see Trace Traffic Sampling Operations.

The following restrictions apply to port-mirroring configurations:

You cannot configure firewall filters on the port-mirroring interface.

The interface you configure for port mirroring should not participate in any kind of routing activity.

The destination address you specify should not have a route to the ultimate traffic destination. For example, if the sampled IPv4 packets have a destination address of 190.68.9.10 and the port-mirrored traffic is sent to 190.68.20.15 for analysis, the device associated with the latter address should not know a route to 190.68.9.10. Also, it should not send the sampled packets back to the source address.

Only IPv4 traffic is supported.

Only transit data is supported.

You can configure only one port-mirroring interface per router. If you include more than one interface in the port-mirroring statement, the previous one is overwritten.

You must include a firewall filter with both the accept action and the sample action modifier on the inbound interface. Do not include the discard action, or port mirroring will not work.

If the port-mirroring interface is a non-point-to-point interface, you must include an IP address under the port-mirroring statement to identify the other end of the link. This IP address must be reachable for you to see the sampled traffic. If the port-mirroring interface is an Ethernet interface, the router should have an Address Resolution Protocol (ARP) entry for it. The following sample configuration sets up a static ARP entry.

You do not need to configure firewall filters on both inbound and outbound interfaces, but at least one is necessary on the inbound interface to provide the copies of the packets to send to an analyzer.

Examples: Configure Port Mirroring

Send port mirrored traffic to multiple cflowd servers or packet analyzers:
[edit interfaces]
ge-1/0/0 {                                                # This is the input interface where packets enter the 
router.
    unit 0 {
        family inet {
            filter {
                input mirror_pkts;                                # Here is where you apply the first filter.
            }
            address 11.11.0.1/24;
        }
    }
}
ge-1/1/0 {                                                # This is an exit interface for HTTP packets.
    unit 0 {
        family inet {
            address 11.12.0.1/24;
        }
    }
}
ge-1/2/0 {                                                # This is an exit interface for HTTP packets.
    unit 0 {
        family inet {
            address 11.13.0.1/24;
        }
    }
}
so-0/3/0 {                                                # This is an exit interface for FTP packets.
    unit 0 {
        family inet {
            address 1.1.1.1/30;
        }
    }
}
so-4/3/0 {                                                # This is an exit interface for FTP packets.
    unit 0 {
        family inet {
            address 2.2.2.2/30;
        }
    }
}
so-7/0/0 {                                                # This is an exit interface for all remaining packets.
    unit 0 {
        family inet {
            address 5.5.5.5/30;
        }
    }
}
so-7/0/1 {                                                # This is an exit interface for all remaining packets.
    unit 0 {
        family inet {
            address 6.6.6.6/30;
        }
    }
}
vt-3/3/0 {                                                # The tunnel interface is where you send the port mirrored 
traffic.
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet {
            filter {
                input collect_pkts;                                # This is where you apply the second firewall filter.
        }
        }
    }
}
[edit forwarding-options]
port-mirroring {                                # This is required when you configure next-hop groups.
    input {
        family inet {
            rate 1;                    # This rate port mirrors one packet for every one received (1:1 = all 
packets).
        }
    }
    output {                            # This sends traffic to a tunnel interface to prepare for multiport 
mirroring.
        interface vt-3/3/0.1;
        no-filter-check;
    }
}
next-hop-group ftp-traffic {                                            # Point-to-point interfaces require you to specify the interface 
name only.
    interface so-4/3/0.0;
    interface so-0/3/0.0;
}
next-hop-group http-traffic {                                            # You need to configure a next hop for multipoint interfaces 
(Ethernet).
    interface ge-1/1/0.0 {
        next-hop 11.12.0.2;
    }
    interface ge-1/2/0.0 {
        next-hop 11.13.0.2;
    }
}
next-hop-group default-collect {
    interface so-7/0/0.0;
    interface so-7/0/1.0;
}
[edit firewall]
family inet {
    filter mirror_pkts {                                        # Apply this filter to the input interface.
        term catch_all {
            then {
                count input_mirror_pkts;
                port-mirror;                            # This action sends traffic to be copied and port mirrored.
                accept;
            }
        }
    }
    filter collect_pkts {                                        # Apply this filter to the tunnel interface.
        term ftp-term {                                    # This term sends FTP traffic to an FTP next-hop group.
            from {
                protocol ftp;
            }
            then next-hop-group ftp-traffic;
        }
        term http-term {                                    # This term sends HTTP traffic to an HTTP next-hop group.
            from {
                protocol http;
            }
            then next-hop-group http-traffic;
        }
        term default {                                    # This term sends all remaining traffic to a final next-hop 
                group.
            then next-hop-group default-collectors;
        }
    }
}

[Contents] [Prev] [Next] [Index] [Report an Error]